End-to-End Analysis of a Domain Generating Algorithm Malware Family

Select malware families have used Domain Generating Algorithms (DGAs) over the past few years in an effort to evade traditional domain blacklists, allow for fast-flux domain registration and usage, and evade analysts’ abilities to predict attackers’ control servers. While novel work has been done by both private industry and academia with respect to detecting DGA-related network traffic, this presentation demonstrates end-to-end analysis of a DGA malware family, from binary deobfuscation to DGA analysis, to sinkholing, to domain registrant research, to attribution of the malware’s author and accomplices.

The malware family discussed in this presentation has thousands of active variants currently running on the Internet and has managed to stay off of the radar of all antivirus firms. Missed this presentation at Black Hat 2013? Take a look at the slides from Jason Geffner's session. This presentation brought to light how this malware is tied to an underground campaign that has been active for at least the past six years.


5.
New DGA Family
• In February of 2013, a major American financial
services firm received a suspicious email with an EXE
file attachment
• Firm’s CISO sent the attachment to their “global cyber
intelligence” partner, who had trouble analyzing it:
“It is the obfuscation that is throwing redacted off.”
• As a result, the CISO forwarded it to us

9.
Code Deobfuscation
• Find all basic legitimate variables
• Function arguments to the current function
• Global variables
• Local function variables used as parameters to function calls
• Local function variables that store return values of function calls
• All other local function variables considered legitimate if
their values are read from or written to other legitimate
variables
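The variable-classification rule on this slide is a seed-and-propagate analysis: parameters, globals, call arguments, stored return values and returned values are legitimate by definition, and any other local becomes legitimate once it is read from or written to a legitimate one, iterated to a fixed point. The following is an added illustration in Python over a constructed toy IR; it is not CrowdDetox or Hex-Rays code, and the `Stmt` shape, the `PARAMS`/`GLOBALS` sets and the sample function body are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Stmt:
    """One statement of a toy decompiler IR (constructed for this example)."""
    kind: str            # "assign", "call" or "ret"
    dst: Optional[str]   # variable written (None for a bare call or a return)
    srcs: List[str]      # variables read


# Constructed function body mimicking inlined junk: tmp1/tmp2/tmp3/tmp5 only
# ever feed each other and never touch a parameter, global, call or return.
PARAMS = {"arg_buf", "arg_len"}
GLOBALS = {"g_config"}
BODY = [
    Stmt("assign", "tmp1", ["tmp2"]),          # junk
    Stmt("assign", "tmp2", ["tmp1"]),          # junk
    Stmt("assign", "tmp3", []),                # junk: constant store
    Stmt("assign", "n", ["arg_len"]),          # reads a parameter
    Stmt("call", "rc", ["arg_buf", "n"]),      # rc = f(arg_buf, n)
    Stmt("assign", "g_config", ["rc"]),        # writes a global
    Stmt("assign", "x", ["n"]),                # derived from legitimate n
    Stmt("assign", "tmp5", ["tmp3"]),          # junk
    Stmt("ret", None, ["rc"]),
]


def find_legitimate(body, params, globals_):
    """Seed with the slide's basic cases, then propagate to a fixed point:
    any assignment that touches a legitimate variable makes every variable
    it reads or writes legitimate."""
    legit = set(params) | set(globals_)
    for s in body:
        if s.kind == "call":
            legit.update(s.srcs)         # arguments passed to calls
            if s.dst:
                legit.add(s.dst)         # variable storing a return value
        elif s.kind == "ret":
            legit.update(s.srcs)         # value returned by the function
    changed = True
    while changed:
        changed = False
        for s in body:
            if s.kind != "assign":
                continue
            involved = {s.dst, *s.srcs}
            if involved & legit and not involved <= legit:
                legit |= involved
                changed = True
    return legit


def junk_statements(body, legit):
    """Statements that touch no legitimate variable: candidates to hide
    from the decompiled view."""
    return [s for s in body if not ({s.dst, *s.srcs} - {None}) & legit]


if __name__ == "__main__":
    legit_vars = find_legitimate(BODY, PARAMS, GLOBALS)
    print("legitimate:", sorted(legit_vars))
    print("junk:", [s.dst for s in junk_statements(BODY, legit_vars)])
```

The propagation deliberately goes both ways (a junk variable assigned from a legitimate one would be kept), which matches the slide's "read from or written to" wording and errs on the side of keeping code.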

23.
Authorship Clues in Decrypted Strings
• Template string for copied file name is
“XZSEQWSpulaosugiingat.exe”
• “pula o sug i în gât” loosely translates from
Romanian to English as “suck a dick in your
throat”

24.
Authorship Clues in Decrypted Strings
• However, a Romanian is more likely to say, “suge
pula în gât”
• “pula o sug i în gât” is more likely the wording a
Romani would use
• Additionally, a Romanian is more likely to say
“pizda” than “pizd”; a Romani would say “pizd”

26.
Domain Generating Algorithm
• All variants of family contain identical 384-word
list of common English words, decrypted at run
time
• Domain names created by concatenating two
pseudo-randomly selected words and
appending “.net” to the end

31.
Malware’s Use of DGA
• If the server’s response contains the correct
fingerprint, the malware requests the same URL
again
• If the server’s second response contains the
correct fingerprint, the malware saves the
downloaded content as an EXE and executes it

39.
Domain Analysis
• All domains registered 0-48 hours before DGA pointed
to them
• Identical registrant names and addresses used for
several domains, with semi-random phone numbers
corresponding to city area code

41.
Historic WHOIS Research
• 7 of the 20 domains hosted blank root webpages
during WHOIS research
• 3 of the 20 domains’ webservers were down
during WHOIS research
• The other 10 domains all hosted content for
“GlobalPartners Hungaria K.”

45.
Scanning All DGA Domains
• Scanned root webpage of all 32,768 possible DGA domains
for “GlobalPartners”
• Found 44 additional domains, for a total of 64 campaign
domains
• All but two registered through a Yahoo! Small Business
hosting plan
• All domains registered for exactly one year
• Oldest domain registered on February 3rd, 2013
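To make the "two words plus .net" scheme (slide 26) and the full-space scan (slide 45) concrete, here is an added Python example; it is not the malware's code or the presenter's tooling. The 8-word list, the SHA-256-over-seed-and-counter selection and the sample log lines are constructed assumptions: the real family uses a 384-word list decrypted at run time, and its seeding is not on the slides. Note that the slides' 32,768 candidates is far below 384², so the real generator evidently does not reach every word pair; the toy enumeration below covers every ordered pair of its small list.

```python
import hashlib
import itertools

# Constructed stand-in word list (assumption; the real list has 384 words).
WORDS = ["degree", "animal", "night", "wagon", "river", "stone", "paper", "cloud"]
TLD = ".net"


def generate_domains(seed: str, count: int, words=WORDS) -> list:
    """Seeded generator (assumed shape, not the real algorithm): hash the seed
    plus a counter and use two digest bytes to pick two words, then append
    ".net". A defender who knows the seed scheme can precompute candidates."""
    domains = []
    for counter in range(count):
        digest = hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        first = words[digest[0] % len(words)]
        second = words[digest[1] % len(words)]
        domains.append(first + second + TLD)
    return domains


def all_possible_domains(words=WORDS) -> set:
    """Enumerate every ordered word pair: the whole space a root-page scan
    would have to cover (the slides scanned 32,768 candidates)."""
    return {a + b + TLD for a, b in itertools.product(words, repeat=2)}


def matches_dga(domain: str, words=WORDS) -> bool:
    """Detection check for passive DNS or proxy logs: is this a ".net" domain
    whose single label splits exactly into two list words?"""
    domain = domain.lower().rstrip(".")
    if not domain.endswith(TLD):
        return False
    label = domain[: -len(TLD)]
    if not label or "." in label:
        return False
    return any(label.startswith(w) and label[len(w):] in words for w in words)


def flag_log_lines(lines, words=WORDS) -> list:
    """Run the check over constructed DNS-query log lines of the form
    '<timestamp> <client> <qname>' and return the flagged query names."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and matches_dga(parts[2], words):
            flagged.append(parts[2])
    return flagged


if __name__ == "__main__":
    SAMPLE_LOG = [  # constructed sample log lines
        "2013-02-03T10:00:01 10.0.0.5 degreeanimal.net",
        "2013-02-03T10:00:02 10.0.0.5 www.example.com",
        "2013-02-03T10:00:03 10.0.0.7 nightwagon.net",
        "2013-02-03T10:00:04 10.0.0.7 degreeanimals.net",
    ]
    print(generate_domains("2013-02-03", 5))
    print(len(all_possible_domains()), "possible domains")
    print(flag_log_lines(SAMPLE_LOG))
```

With a real word list the membership check produces false positives on legitimate compound-word domains, so in practice it is a triage signal to combine with registration age (slide 39 notes domains were registered 0 to 48 hours before use) rather than a blocking rule on its own.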

46.
Campaign Domain Registrant Email Addresses
• Email addresses primarily fall into one of four categories
1. Related to name of domain’s registrant
(marcosuriano21@yahoo.com for Marco Suriano)
2. Related to name of another domain’s registrant, likely a mistake
made by adversary
(ike2ricchio4@yahoo.com for Kai Roth)
3. Related to domain name
(degreeanimal@yahoo.com for degreeanimal.net)
4. Related to domain name of another domain
(degreeanimal@yahoo.com for nightwagon.net)
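The four categories on this slide can be applied mechanically to a set of registration records, and the reused addresses are the pivot that links domains to one campaign. The following is an added Python example, not the presenter's tooling. The records are constructed: degreeanimal.net, nightwagon.net, Marco Suriano, Kai Roth and their two email addresses echo the slide, while paperstone.net, rivercloud.net, stonecloud.net and the registrants "Pat Example", "Sam Placeholder" and "Lee Stub" are placeholders invented for the example.

```python
import re
from collections import defaultdict

# Constructed WHOIS-style records (see lead-in for which values are placeholders).
RECORDS = [
    {"domain": "paperstone.net",   "registrant": "Marco Suriano",   "email": "marcosuriano21@yahoo.com"},
    {"domain": "degreeanimal.net", "registrant": "Pat Example",     "email": "degreeanimal@yahoo.com"},
    {"domain": "nightwagon.net",   "registrant": "Kai Roth",        "email": "degreeanimal@yahoo.com"},
    {"domain": "rivercloud.net",   "registrant": "Sam Placeholder", "email": "samplaceholder8@yahoo.com"},
    {"domain": "stonecloud.net",   "registrant": "Lee Stub",        "email": "samplaceholder8@yahoo.com"},
]

CATEGORIES = {
    1: "related to own registrant name",
    2: "related to another domain's registrant name",
    3: "related to own domain name",
    4: "related to another domain's name",
    0: "unrelated",
}


def _letters(s: str) -> str:
    """Lower-case and keep letters only, so 'marcosuriano21' -> 'marcosuriano'."""
    return re.sub(r"[^a-z]", "", s.lower())


def _name_matches(local: str, name: str) -> bool:
    """Every name token of at least three letters must occur in the local part."""
    tokens = [_letters(t) for t in name.split()]
    return all(len(t) >= 3 and t in local for t in tokens)


def _label(domain: str) -> str:
    """Second-level label without the TLD: 'degreeanimal.net' -> 'degreeanimal'."""
    return _letters(domain.rsplit(".", 1)[0])


def classify_email(record: dict, records: list) -> int:
    """Return the slide's category number for one record's email address."""
    local = _letters(record["email"].split("@", 1)[0])
    if _name_matches(local, record["registrant"]):
        return 1
    if local == _label(record["domain"]):
        return 3
    others = [r for r in records if r is not record]
    if any(_name_matches(local, r["registrant"]) for r in others):
        return 2
    if any(local == _label(r["domain"]) for r in others):
        return 4
    return 0


def classify_all(records: list) -> dict:
    """Map each domain to its email category."""
    return {r["domain"]: classify_email(r, records) for r in records}


def shared_emails(records: list) -> dict:
    """Attribution pivot: addresses that registered more than one domain."""
    by_email = defaultdict(list)
    for r in records:
        by_email[r["email"]].append(r["domain"])
    return {e: sorted(d) for e, d in by_email.items() if len(d) > 1}


if __name__ == "__main__":
    for domain, cat in classify_all(RECORDS).items():
        print(f"{domain:18} {cat}: {CATEGORIES[cat]}")
    print(shared_emails(RECORDS))
```

The token match is a heuristic (a short first name can occur inside an unrelated local part), so category 2 hits are leads to confirm against the other registrant fields, such as the address and phone-number patterns noted on slide 39, not conclusions by themselves.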

48.
Previously Researched Campaign History
• Further investigation leads to research on anti-fraud site
http://www.bobbear.co.uk/

49.
Extended Campaign History
• March 2013: Trust Core
• March 2013: Mojo Directo
• February 2013: GlobalPartners
• January 2013: Anatara Group
• September 2012: Ahai Group
• July 2011: Azure Holding Group
• April 2011: KPL
• November 2009: Logicom
• May 2009: RBS Partners
• February 2009: FastWire Group
• December 2008: INTRACOM
• November 2008: MTK
• June 2008: ITP
• January 2008: International Wire
• September 2007: INT Group
• May 2007: Interpay Group

50.
Antivirus Detections
• Malware appears to have begun circulating in
February 2013
• Our analysis conducted in February and early March of
2013
• Avast discovered a variant of it in June of 2013 -
https://blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured/

52.
Conclusion
• DGA downloader likely authored by Romani male, who appears to be
working with a long-running European money mule crime syndicate
• Another component apparently harvests email addresses, builds the
DGA component, and emails it to target recipients
• DGA domains appear to be registered using stolen credit card
numbers
• Inlined code obfuscation can be defeated with new CrowdDetox
plugin for Hex-Rays